oss-sec mailing list archives
CVE-2022-1199 kernel: Null pointer dereference and use-after-free in ax25_release()
From: 周多明 <duoming () zju edu cn>
Date: Sat, 2 Apr 2022 16:45:07 +0800 (GMT+08:00)
Hello there,
There are null-ptr-deref vulnerability and use-after-free vulnerabilities in net/ax25/af_ax25.c
of linux that allow attacker to crash linux kernel by simulating ax25 device from user-space.
=*=*=*=*=*=*=*=*= Bug Details =*=*=*=*=*=*=*=*=
The null-ptr-deref vulnerability is caused by "ax25->sk = NULL" in ax25_release().
The dereference sites include "bh_lock_sock(ax25->sk)" and "bh_unlock_sock(ax25->sk)"
in ax25_disconnect(), "lock_sock(s->sk)" and "release_sock(s->sk)" in ax25_kill_by_device().
The NPD bug related with bh_lock_sock(ax25->sk) is shown below:
ax25_kill_by_device() | ax25_release()
ax25_disconnect() | ax25_destroy_socket()
... |
if(ax25->sk != NULL) | ...
... | ax25->sk = NULL;
bh_lock_sock(ax25->sk); //(1) | ...
... |
bh_unlock_sock(ax25->sk); //(2)|
The NPD bug related with lock_sock(s->sk) is shown below:
ax25_kill_by_device() | ax25_release()
| ax25_destroy_socket()
| ax25_cb_del()
... | ...
| ax25->sk=NULL;
lock_sock(s->sk); //(1) |
s->ax25_dev = NULL; | ...
release_sock(s->sk); //(2) |
... |
The use-after-free vulnerability is caused by "sock_put(sk)" in ax25_release(). The dereference
sites include "lock_sock(s->sk)" and "release_sock(s->sk)" in ax25_kill_by_device().
ax25_kill_by_device() | ax25_release()
| ax25_destroy_socket()
... | ...
| sock_put(sk); //FREE
lock_sock(s->sk); //(1) |
s->ax25_dev = NULL; | ...
release_sock(s->sk); //(2) |
... |
=*=*=*=*=*=*=*=*= Bug Effects =*=*=*=*=*=*=*=*=
We can successfully trigger the vulnerabilities to crash the linux kernel.
The NPD bug related with bh_lock_sock() is shown below.
[ 178.776298] BUG: kernel NULL pointer dereference, address: 0000000000000088
[ 178.777929] RIP: 0010:_raw_spin_lock+0x7e/0xd0
[ 178.777929] Code: be 04 00 00 00 c7 44 24 20 00 00 00 00 e8 2a 29 e8 fe be 04 00 00 00 48 8d 7c 24 20 e8 1b 29 e8 fe
ba 01 00 00 00 8b 44 24 20 <f0> 0f b1 55 00 75 29 48 b8 00 00 00 00
[ 178.777929] RSP: 0018:ffff888007dcfa48 EFLAGS: 00000297
[ 178.777929] RAX: 0000000000000000 RBX: 1ffff11000fb9f49 RCX: ffffffff82482855
[ 178.777929] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff888007dcfa68
[ 178.777929] RBP: 0000000000000088 R08: 0000000000000001 R09: 0000000000000003
[ 178.777929] R10: ffffed1000fb9f4d R11: 0000000000000001 R12: 0000000000000065
[ 178.777929] R13: ffff888009f99800 R14: ffff888009f99860 R15: ffff888009f99800
[ 178.777929] FS: 00007f9651ce3700(0000) GS:ffff88806d480000(0000) knlGS:0000000000000000
[ 178.777929] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 178.777929] CR2: 0000000000000088 CR3: 0000000009876000 CR4: 00000000000006e0
[ 178.777929] Call Trace:
[ 178.777929] ? _raw_read_lock_irq+0x30/0x30
[ 178.777929] ? _raw_spin_unlock_bh+0x9/0x20
[ 178.777929] ? ax25_link_failed+0x40/0x60
[ 178.777929] ax25_disconnect+0xf6/0x220
[ 178.777929] ax25_device_event+0x187/0x250
[ 178.777929] raw_notifier_call_chain+0x5e/0x70
[ 178.777929] dev_close_many+0x17d/0x230
[ 178.777929] ? __dev_close_many+0x1c0/0x1c0
[ 178.777929] rollback_registered_many+0x1f1/0x950
[ 178.777929] ? _raw_write_lock_irqsave+0xd0/0xd0
[ 178.777929] ? dev_alloc_name+0xd0/0xd0
[ 178.777929] ? ldsem_down_read+0x410/0x410
[ 178.777929] unregister_netdevice_queue+0x133/0x200
[ 178.777929] ? unregister_netdevice_many+0x20/0x20
[ 178.777929] ? sixpack_close+0xf8/0x130
[ 178.777929] unregister_netdev+0x13/0x20
[ 178.777929] tty_ldisc_hangup+0x1ab/0x2d0
[ 178.777929] __tty_hangup.part.0+0x306/0x510
[ 178.777929] tty_release+0x200/0x670
[ 178.777929] __fput+0x104/0x3b0
[ 178.777929] task_work_run+0x8f/0xd0
[ 178.777929] exit_to_user_mode_prepare+0x114/0x120
[ 178.777929] syscall_exit_to_user_mode+0x1d/0x40
[ 178.777929] entry_SYSCALL_64_after_hwframe+0x44/0xa9
The NPD bug related with lock_sock() is shown below.
[ 727.493561] BUG: kernel NULL pointer dereference, address: 0000000000000088
[ 727.493561] RIP: 0010:_raw_spin_lock_bh+0x89/0xd0
[ 727.493561] Code: be 04 00 00 00 c7 44 24 20 00 00 00 00 e8 5f c6 f1 fd be 04 00 00 00 48 8d 7c 24 20 e8 50 c6 f1 fd
ba 01 00 00 00 8b 44 24 20 <f0> 0f b1 55 00 75 29 48 b8 00 00 00 00
[ 727.493561] RSP: 0018:ffff88801569f9c0 EFLAGS: 00000297
[ 727.493561] RAX: 0000000000000000 RBX: 1ffff11002ad3f38 RCX: ffffffff8366d960
[ 727.493561] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff88801569f9e0
[ 727.493561] RBP: 0000000000000088 R08: 0000000000000001 R09: 0000000000000003
[ 727.493561] R10: ffffed1002ad3f3c R11: 0000000000000001 R12: 0000000000000088
[ 727.493561] R13: ffff888016166700 R14: ffff888014a57dc8 R15: dffffc0000000000
[ 727.493561] FS: 00007f5cab712700(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
[ 727.493561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 727.493561] CR2: 0000000000000088 CR3: 000000000a336000 CR4: 00000000000006f0
[ 727.493561] Call Trace:
[ 727.493561] ? _raw_spin_lock+0xd0/0xd0
[ 727.493561] release_sock+0x16/0x170
[ 727.493561] ax25_device_event+0x1a3/0x270
[ 727.493561] ? nr_device_event+0xf2/0x140
[ 727.493561] raw_notifier_call_chain+0x8d/0xd0
[ 727.493561] dev_close_many+0x227/0x400
[ 727.493561] ? __dev_close_many+0x290/0x290
[ 727.493561] ? finish_task_switch.isra.0+0x205/0x620
[ 727.493561] ? __switch_to+0x572/0xe50
[ 727.493561] rollback_registered_many+0x2e1/0x1130
[ 727.493561] ? dev_alloc_name+0xf0/0xf0
[ 727.493561] ? ldsem_down_read+0x650/0x650
[ 727.493561] unregister_netdevice_queue+0x1d7/0x3e0
[ 727.493561] ? unregister_netdevice_many+0x50/0x50
[ 727.493561] ? _raw_write_lock_bh+0xd0/0xd0
[ 727.493561] ? down_write_killable+0x120/0x120
[ 727.493561] unregister_netdev+0x13/0x20
[ 727.493561] mkiss_close+0x116/0x1f0
[ 727.493561] tty_ldisc_hangup+0x227/0x5f0
[ 727.493561] ? fasync_remove_entry+0x28/0x220
[ 727.493561] __tty_hangup.part.0+0x41c/0x910
[ 727.493561] tty_release+0x3a8/0xcc0
[ 727.493561] __fput+0x1e2/0x840
[ 727.493561] task_work_run+0xe8/0x180
[ 727.493561] exit_to_user_mode_prepare+0x114/0x120
[ 727.493561] syscall_exit_to_user_mode+0x1d/0x40
[ 727.493561] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 727.493561] RIP: 0033:0x7f6d2c9d4beb
[ 727.493561] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 33 fc ff ff 8b 7c 24 0c 41
89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44
[ 727.493561] RSP: 002b:00007f5cab711ec0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 727.493561] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f6d2c9d4beb
[ 727.493561] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 727.493561] RBP: 00007f5cab711f00 R08: 0000000000000000 R09: 00007f5cab712700
[ 727.493561] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffee89407be
[ 727.493561] R13: 00007ffee89407bf R14: 00007f5cab711fc0 R15: 00007f5cab712700
The UAF bug related with lock_sock() is shown below.
[ 208.472360] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x71/0xd0
[ 208.472465] Write of size 4 at addr ffff88800a0e8088 by task ax25_clo_bin/1271
[ 208.472465] Call Trace:
[ 208.472465] dump_stack+0x7d/0xa3
[ 208.472465] print_address_description.constprop.0+0x18/0x130
[ 208.472465] ? _raw_spin_lock_bh+0x71/0xd0
[ 208.472465] ? _raw_spin_lock_bh+0x71/0xd0
[ 208.472465] kasan_report.cold+0x7f/0x10e
[ 208.472465] ? _raw_spin_lock_bh+0x71/0xd0
[ 208.472465] check_memory_region+0xf9/0x1e0
[ 208.472465] _raw_spin_lock_bh+0x71/0xd0
[ 208.472465] ? _raw_spin_lock+0xd0/0xd0
[ 208.472465] ? schedule+0x8e/0x120
[ 208.472465] __lock_sock+0xd9/0x140
[ 208.472465] ? sock_omalloc+0xc0/0xc0
[ 208.472465] ? _raw_spin_lock+0xd0/0xd0
[ 208.472465] ? wait_woken+0x110/0x110
[ 208.472465] ? _raw_spin_lock+0xd0/0xd0
[ 208.472465] ? _raw_spin_lock_bh+0x80/0xd0
[ 208.472465] ? _raw_spin_lock+0xd0/0xd0
[ 208.472465] lock_sock_nested+0x72/0x80
[ 208.472465] ax25_device_event+0xef/0x160
[ 208.472465] raw_notifier_call_chain+0x5e/0x70
[ 208.472465] dev_close_many+0x17d/0x230
[ 208.472465] ? __dev_close_many+0x1c0/0x1c0
[ 208.472465] ? __schedule+0x494/0xc30
[ 208.472465] rollback_registered_many+0x1f1/0x950
[ 208.472465] ? clockevents_program_event+0xd3/0x130
[ 208.472465] ? dev_alloc_name+0xd0/0xd0
[ 208.472465] ? ldsem_down_read+0x410/0x410
[ 208.472465] unregister_netdevice_queue+0x133/0x200
[ 208.472465] ? unregister_netdevice_many+0x20/0x20
[ 208.472465] ? _raw_write_lock_bh+0xd0/0xd0
[ 208.472465] unregister_netdev+0x13/0x20
[ 208.472465] mkiss_close+0xc4/0x120
[ 208.472465] tty_ldisc_hangup+0x1ab/0x2d0
[ 208.472465] __tty_hangup.part.0+0x306/0x510
[ 208.472465] tty_release+0x200/0x670
[ 208.472465] __fput+0x104/0x3b0
[ 208.472465] task_work_run+0x8f/0xd0
[ 208.472465] exit_to_user_mode_prepare+0x114/0x120
[ 208.472465] syscall_exit_to_user_mode+0x1d/0x40
[ 208.472465] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 208.472465] RIP: 0033:0x7f7900bb1beb
[ 208.472465] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 33 fc ff ff 8b 7c 24 0c 41
89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 0c e8 71 fc ff ff 8b 44
[ 208.472465] RSP: 002b:00007f78ff9c8ec0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 208.472465] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f7900bb1beb
[ 208.472465] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 208.472465] RBP: 00007f78ff9c8f00 R08: 0000000000000000 R09: 00007f78ff9c9700
[ 208.472465] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffd364d6b9e
[ 208.472465] R13: 00007ffd364d6b9f R14: 00007f78ff9c8fc0 R15: 00007f78ff9c9700
=*=*=*=*=*=*=*=*= Bug Fix =*=*=*=*=*=*=*=*=
The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/4e0f718daf97d47cf7dec122da1be970f145c809
https://github.com/torvalds/linux/commit/7ec02f5ac8a5be5a3f20611731243dc5e1d9ba10
https://github.com/torvalds/linux/commit/71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac
=*=*=*=*=*=*=*=*= Timeline =*=*=*=*=*=*=*=*=
2022-01-28: commit 4e0f718daf97 accepted to mainline kernel
2022-02-09: commit 7ec02f5ac8a5 accepted to mainline kernel
2022-03-09: commit 71171ac8eb34 accepted to mainline kernel
2022-04-01: CVE-2022-1199 is assigned
=*=*=*=*=*=*=*=*= Credit =*=*=*=*=*=*=*=*=
Duoming Zhou <duoming () zju edu cn>
Best Regards,
Duoming Zhou
Current thread:
- CVE-2022-1199 kernel: Null pointer dereference and use-after-free in ax25_release() 周多明 (Apr 02)